filter {
  if "autorunstowin" in [tags] {
    kv {
      prefix => "[event_data]"
      remove_char_key => "\ "
      transform_key => "lowercase"
      field_split => "\n"
      value_split => ":"
    }
    mutate {
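What the kv block above does to one record, as an added example that is not part of the gist: a Python emulation of the four options it sets (field_split, value_split, remove_char_key, transform_key), run over a constructed Autoruns-style message of the kind winlogbeat forwards. It does not reproduce kv's quoted-value handling, and it assumes the "[event_data]" prefix nests the keys under event_data, which is how the lenient field-reference parsing of the Logstash versions this conf was written for treated it.

```python
# Constructed sample (not from the gist): the body of one Autoruns record as
# forwarded by winlogbeat, "Key: Value" pairs separated by newlines.
SAMPLE_MESSAGE = (
    "Entry Location: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "Entry: OneDrive\n"
    "Image Path: c:\\users\\bob\\appdata\\local\\microsoft\\onedrive\\onedrive.exe\n"
    "Launch String: c:\\users\\bob\\appdata\\local\\microsoft\\onedrive\\onedrive.exe /background\n"
    "Signer: (Verified) Microsoft Corporation\n"
)


def kv_parse(message, prefix="[event_data]", field_split="\n", value_split=":",
             remove_char_key="\\ ", transform_key="lowercase"):
    """Emulate the kv options used in the gist.

    - field_split:      one key/value pair per line
    - value_split:      a pair splits at the FIRST ':' only, so the drive-letter
                        colon in 'c:\\users\\...' stays inside the value
    - remove_char_key:  backslash and space are stripped from keys
                        ("Entry Location" -> "EntryLocation")
    - transform_key:    keys are lowercased ("EntryLocation" -> "entrylocation")
    - prefix:           "[event_data]" is assumed (see lead-in) to nest the
                        keys under a top-level event_data field
    Values are left untouched apart from surrounding whitespace; kv consumes
    the whitespace after the separator and this emulation trims the rest.
    """
    target = prefix.strip("[]")
    parsed = {}
    for field in message.split(field_split):
        if value_split not in field:
            continue  # no separator: kv extracts nothing from this field
        key, value = field.split(value_split, 1)
        for ch in remove_char_key:
            key = key.replace(ch, "")
        if transform_key == "lowercase":
            key = key.lower()
        parsed[key] = value.strip()
    return {target: parsed}


if __name__ == "__main__":
    for key, value in kv_parse(SAMPLE_MESSAGE)["event_data"].items():
        print(f"{key} = {value}")
```

The point to check in your own pipeline is the first-colon split: with value_split => ":" a key like "Image Path" keeps its full path value, but a message whose key names themselves contain colons would be cut at the wrong place.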
# Author: Wes Lambert
#
# Last Update: 09/24/2018
#
# This conf file is based on accepting Sysmon logs from winlogbeat
filter {
  if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
    mutate {
      replace => { "type" => "sysmon" }
dlee35 / esa_rule
Last active May 14, 2020 16:56
Qbot ESA Rule
/*
Version: 2
*/
@Name('Module_QbotCampaign_Alert')
@Description('Current Qbot campaigns attempt to download a supposed PNG file with a filename consisting of between 4-8 numeric characters that is actually an EXE. This is a good post infection IoC.')
@RSAAlert(oneInSeconds=0)
SELECT * FROM
Event
dlee35 / app_rule
Created May 14, 2020 16:56
Qbot App Rule
service = 80 && filename regex '[0-9]{4,8}\.png' && filetype = 'windows executable'
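The app rule above and the ESA rule description before it encode the same post-infection IoC: an HTTP request for a file named with 4-8 digits and a .png extension whose body is actually a Windows executable. As an added example (not dlee35's rule and not NetWitness code), the Python below applies that three-part predicate to constructed HTTP sessions. A magic-byte check stands in for the NetWitness file-type parser that populates the filetype meta key, and the anchored regex variant is my addition, included to show what the unanchored pattern in the rule also matches.

```python
import re

# The app rule from the gist, as a Python predicate:
#   service = 80 && filename regex '[0-9]{4,8}\.png' && filetype = 'windows executable'
RULE_REGEX = re.compile(r"[0-9]{4,8}\.png")       # exactly as written: unanchored
STRICT_REGEX = re.compile(r"^[0-9]{4,8}\.png$")   # tightened variant (added here, not in the gist)

PE_MAGIC = b"MZ"                    # DOS header at offset 0 of every PE file
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"    # 8-byte PNG signature


def classify_filetype(body_head):
    """Stand-in for the NetWitness file-type parser: classify the response by
    its leading bytes, never by the extension the attacker chose."""
    if body_head.startswith(PE_MAGIC):
        return "windows executable"
    if body_head.startswith(PNG_MAGIC):
        return "png"
    return "unknown"


def matches_qbot_rule(session, strict=False):
    """True when a session meets all three conditions of the app rule."""
    regex = STRICT_REGEX if strict else RULE_REGEX
    if session["service"] != 80:
        return False
    if not regex.search(session["filename"]):
        return False
    return classify_filetype(session["body_head"]) == "windows executable"


# Constructed sessions (not observed traffic): the service, the filename from
# the HTTP request and the first bytes of the response body.
SESSIONS = [
    {"id": "fake-png",   "service": 80,  "filename": "443355.png",        "body_head": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"id": "real-png",   "service": 80,  "filename": "443355.png",        "body_head": PNG_MAGIC + b"\x00\x00\x00\rIHDR"},
    {"id": "not-http",   "service": 443, "filename": "12345.png",         "body_head": b"MZ\x90\x00"},
    {"id": "unanchored", "service": 80,  "filename": "logo_20200514.png", "body_head": b"MZ\x90\x00"},
    {"id": "no-digits",  "service": 80,  "filename": "abc.png",           "body_head": b"MZ\x90\x00"},
]


def alerting_sessions(sessions, strict=False):
    """IDs of the sessions the rule would flag."""
    return [s["id"] for s in sessions if matches_qbot_rule(s, strict=strict)]


if __name__ == "__main__":
    print("rule as written:", alerting_sessions(SESSIONS))
    print("anchored regex: ", alerting_sessions(SESSIONS, strict=True))
```

Two things worth knowing before deploying the rule: the filetype condition is what catches the extension/content mismatch, so a real PNG with a numeric name does not fire; and because the regex is unanchored, any name that merely contains 4 or more digits directly before ".png" (logo_20200514.png, or a 9-digit name) also satisfies it, which is acceptable given the filetype condition but worth keeping in mind when reviewing hits.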
dlee35 / AO4-185.245.62.231.md
Last active March 6, 2022 17:59
Attack Observation Four - Notes (185.245.62.231)

IP info:

ip: "185.245.62.231",
city: "Frankfurt am Main",
org: "AS200303 Jan Philipp Waldecker trading as LUMASERV Systems",
postal: "60306",
timezone: "Europe/Berlin"

test.sh (f0869b01daa7d4ca611de720e87a8423c5ab03b194d4dfe92b54302a7ee74ceb):